There is a patch to boost that should get into both CentOS and RHEL 7.
I already sent an e-mail to the person who last modified the rpm spec
file but I have no idea if he will even see the e-mail.
The small patch -
https://github.com/boostorg/asio/pull/23/files
The problem it fixes -
boost assumes that the TLS supports SSLv3 which the OpenSSL currently in
RHEL / CentOS 7 does.
However SSLv3 is incredibly old and is no longer considered to be secure
and should not be used, so some alternative TLS implementations do not
even include support for it.
LibreSSL is one such example, and some distributions (e.g. Debian) have
removed SSLv3 support from the OpenSSL library they ship.
Given how old and insecure SSLv3 is and given the incredibly long
support cycle of RHEL 7 it would not surprise me at all if removal of
SSLv3 from the OpenSSL library in RHEL 7 is going to happen at some
point in the next few years.
As such getting this patch into boost will be necessary.
The patch does not have any impact on boost when using TLS libraries
that do support SSLv3 so it will not do any harm to get it into the
packaging now.
Getting it into the packaging now means boost is ready when the change
is made, and it also makes life a lot easier for people like me who have
to use an alternate TLS implementation because we need the EC stuff that
RHEL removed from OpenSSL due to potential patent reasons that the
lawyers were afraid of.
I'm hoping someone on this list with some influence understands the
issue. Filing a bug report with CentOS I suppose is also an option, but
given that the patch doesn't solve a problem with any *current* CentOS
packages, I doubt that would result in the bug trickling up to RHEL and
they are the ones that have to apply the patch for it to make it into
CentOS.
Thank you for your time
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
